Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1052
  • Last Modified:

Sonicwall Pro 4060 xAuth

Good Morning,

I have set up our new Sonicwall Pro 4060 and all is fine except that Global VPN users can't log in if I use xauth. If i set it for "allow unauthenticated users" then users can connect, but I need to have it working with xauth. At this point, I don't see why xauth is not working.



Please help.

Helmut K
0
HELMUTHK
Asked:
HELMUTHK
  • 3
  • 2
1 Solution
 
Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
0
 
HELMUTHKAuthor Commented:
Thanks for the info, but this does not resolve my problem.

Here is more information on setup and config:

I am logging in from Windows XP machine with sonicwall client. Also tried the login from a windows 7 system, with the latest Sonicwall Global VPN client. Same results. OK if  set it for "allow unauthenticated users", but does not accept user ID/Password when set to use  xauth on the Pro 4060.

Here is my config from the 4060:
General tab
Wan Group VPN
IKE using preshared secret

Proposals phase1
DH group = Group2
ENC = 3des
Auth = SHA1
Lifetime = 28800

Proposals phase2
Protocol = ESP
ENC = 3DES
Auth = MD5

Enable perfect forward secrecy = yes
DH group = Group2
lifetime = 28800

Advanced Tab
Management via this sa = https

when set for xauth: User Group for XAUTH = Trusted Users.
I also created a new group called Global VPN Users, added the users/mambers to this group, VPN access to LAN subnets. Wont allow user\password to connect.

When set for "allow Unauthenticated VPN client access" = LAN Subnets, connects properly.

Client Tab
Allow connections to = This Gateway Only


Thanks,

Helmut K
0
 
KonsultantCommented:
Hi Helmut,

Can you provide logs from GVC and from the sonicwall. You should see in the logs the reasons why the user was not authenticated. Also, for your testing it may not work when you are connected as admin from the same source IP address. So make sure that when you are testing you are not logged in as Admin at the same time.

Good luck!
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
HELMUTHKAuthor Commented:
Log from 4060:

1 03/21/2012 10:40:12.656 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
2 03/21/2012 10:40:12.656 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
3 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Reply sent        
4 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Request Received        
5 03/21/2012 10:39:47.768 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF9 state=9        
6 03/21/2012 10:39:26.608 Alert Intrusion Prevention Probable port scan detected 173.194.33.40, 80, X1 209.53.201.211, 49578, X1 TCP scanned port list, 58864, 31332, 28539, 16340, 53586, 32797, 47627, 42182, 6607, 49578  
7 03/21/2012 10:39:11.336 Alert Intrusion Prevention Possible port scan detected 173.194.33.40, 80, X1 209.53.201.211, 45041, X1 TCP scanned port list, 11445, 54875, 45123, 55020, 32341  
8 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Reply sent        
9 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Request Received        
10 03/21/2012 10:38:47.656 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF8 state=9        
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
14 03/21/2012 10:38:40.816 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500    
15 03/21/2012 10:38:38.656 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
16 03/21/2012 10:38:38.656 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
17 03/21/2012 10:38:38.416 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
18 03/21/2012 10:38:38.144 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
19 03/21/2012 10:38:25.304 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
20 03/21/2012 10:38:25.144 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
21 03/21/2012 10:38:24.880 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
23 03/21/2012 10:38:12.784 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
24 03/21/2012 10:38:12.640 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
25 03/21/2012 10:38:12.416 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
26 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
27 03/21/2012 10:38:08.064 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
28 03/21/2012 10:38:08.016 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
29 03/21/2012 10:38:07.896 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
30 03/21/2012 10:37:57.704 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
31 03/21/2012 10:37:57.608 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
32 03/21/2012 10:37:57.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device      
33 03/21/2012 10:37:57.496 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
34 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Reply sent        
35 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Request Received        
36 03/21/2012 10:37:47.576 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF7 state=9        
37 03/21/2012 10:37:44.144 Info Authenticated Access GUI administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin  
38 03/21/2012 10:37:44.144 Info Authenticated Access Configuration mode administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
39 03/21/2012 10:37:44.144 Info Authenticated Access Administrator logged out 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 User logged out  
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent        
41 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Request Received        
42 03/21/2012 10:36:47.464 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF6 state=9        
43 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Reply sent        
44 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Request Received        
45 03/21/2012 10:35:47.352 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF5 state=9        
46 03/21/2012 10:34:36.592 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
47 03/21/2012 10:34:36.592 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
48 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Reply sent        
49 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Request Received        
50 03/21/2012 10:33:47.176 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF3 state=9        


Log from laptop:

Shows "user authentication has failed"


It must be something quite simple. such as spelling or caps, etc, but I don't see it, and I have checked the configuration many times. I guess I will have to go over it all again.

Regards,

helmut K.
0
 
HELMUTHKAuthor Commented:
Hello All,

I resolved the problem. The user ID is case sensitivr as well as the password.

Problem Fixed.

Thanks to those who tried to help.

Helmut K.
0
 
KonsultantCommented:
Yes it is... It never crossed my mind that you would use different capitalization.
Good luck!

P.S. I had problem in past testing GVC from the same network as WAN interface. I am not sure if this is valid today.
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now